
Saturday, June 21, 2014

Researchers reveal massive security hole in Google app store that puts millions at risk: 'secret keys' discovered that can reveal users' private information...

  • Bug put millions of users at risk
  • Team worked with Google, Facebook and others to fix before revealing their work


A major security flaw in Google's Play Store that could expose users' private data has been revealed by researchers.
The bug, which the team has worked with Google, Facebook and other app makers to fix before revealing it, put millions of users at risk, the researchers said.
The bug would allow hackers to steal user data from Facebook, Amazon and others using 'secret' keys the team uncovered.

The Columbia Engineering Team found thousands of secret keys in android apps (shown by red arrows) that could be used to steal user data

HOW THEY DID IT

The researchers created an app called PlayDrone, which used various hacking techniques to circumvent Google security to successfully download Google Play apps and recover their sources.

They were then able to decompile the apps to see their code.

They then found that developers often store their secret keys in their apps' software, much like usernames and passwords, and that anyone who recovers these keys can use them to steal user data or resources from service providers such as Amazon and Facebook.
The research was revealed in a paper presented—and awarded the prestigious Ken Sevcik Outstanding Student Paper Award—at the ACM SIGMETRICS conference.


    Jason Nieh, professor of computer science at Columbia Engineering, and PhD candidate Nicolas Viennot said they were stunned by the scale of their find.

    'Google Play has more than one million apps and over 50 billion app downloads, but no one reviews what gets put into Google Play—anyone can get a $25 account and upload whatever they want. Very little is known about what’s there at an aggregate level,' says Nieh.

    'Given the huge popularity of Google Play and the potential risks to millions of users, we thought it was important to take a close look at Google Play content.'

    Nieh and Viennot’s paper is the first to make a large-scale measurement of the huge Google Play marketplace. 

    PlayDrone scales by simply adding more servers and is fast enough to crawl Google Play on a daily basis, downloading more than 1.1 million Android apps and decompiling over 880,000 free applications.

    Google Play, the Android app store, has more than one million apps and over 50 billion app downloads

    Nieh and Viennot discovered all kinds of new information about the content in Google Play, including a critical security problem: developers often store their secret keys in their apps' software, much like usernames and passwords, and anyone who recovers these keys can use them to steal user data or resources from service providers such as Amazon and Facebook.

    These vulnerabilities can affect users even if they are not actively running the Android apps. 
    Nieh claims that even “Top Developers,” designated by the Google Play team as the best developers on Google Play, included these vulnerabilities in their apps.

    'We’ve been working closely with Google, Amazon, Facebook, and other service providers to identify and notify customers at risk, and make the Google Play store a safer place,' says Viennot. 

    'Google is now using our techniques to proactively scan apps for these problems to prevent this from happening again in the future.'

    In fact, Nieh adds, developers are already receiving notifications from Google to fix their apps and remove the secret keys.

    Read more: http://www.dailymail.co.uk/sciencetech/article-2664100/Researchers-reveal-massive-security-hole-Google-s-app-store-puts-millions-risk-secret-keys-discovered.html#ixzz35F1ciLc0 

    A hugely important new Android feature has been confirmed

    Android ART vs Dalvik

    Google has yet to release its next-gen Android OS version, but it looks like one major feature of the new operating system has been confirmed. Xda-developers has discovered that commits made to the AOSP master branch on Wednesday night show that Dalvik will be replaced with ART as default. None of that will make sense to many readers, but more experienced Android fans already know what Dalvik and ART are, and why it’s good news that Android will replace the former with the latter.
    Dalvik and ART are the old and new runtimes that execute app instructions inside Android. While Dalvik is a Just-in-Time (JIT) runtime that compiles code only when it’s needed, ART – which was introduced in Android 4.4 KitKat and is already available to users – is an Ahead-of-Time (AOT) runtime that compiles code before it’s actually needed.
    Comparisons between Dalvik and ART on Android 4.4 have shown that the latter brings enhanced performance and battery efficiency, although ART wasn’t ready for prime time when KitKat was launched, so Google chose to make it available as an alternative to developers interested in trying it out. However, it appears that Google has further worked on the code, and will make it available as the default runtime to devices running a future version of Android.
    Google is expected to unveil more details about its upcoming Android OS in the near future, quite possibly at I/O 2014 next week.
    SOURCE:
    XDA-DEVELOPERS

    Google Reveals How the Android Wear UI Will Work



    When Google announced Android Wear back in March, it illustrated the company’s seriousness about the wearable game. Since then, Google has dropped bread crumbs, slowly painting us a bigger picture of what’s to come with its mobile OS. A new video from the company, released just days before its big I/O conference, outlines some of the main interaction considerations for developers who will be building apps for the inevitable wave of new wrist worn gadgets.
    The big takeaway? Interacting with our gadgets is about to get a whole lot simpler. Android Wear’s banner claim is that its interface will free us from the time sucking grid of icons on our smartphones. Instead, the interface will be glanceable; requiring users to engage far less time and attention to get the information they’re looking for.
    ANDROID WEAR’S BANNER CLAIM IS THAT ITS INTERFACE WILL FREE US FROM THE TIME SUCKING GRID OF ICONS ON OUR SMARTPHONES. INSTEAD, THE INTERFACE WILL BE GLANCEABLE.
    Here’s a quick look at how they’re doing it: The first thing you notice about the Android Wear interface is how little there is to notice. In the video’s example of the home screen, you see the time, weather and a “G” icon that will help you navigate to voice or text search. Users simply have to hit the button and say “Ok Google” to make any voice command available.
    But it’s not a one-way conversation. Google’s depth of data makes it easy for Android Wear to build a smart context around each user, allowing wearables to know what’s important to a person and when it’s important. For example, based on your calendar or inbox your smartwatch could notify you a few hours before your flight and prompt you to check in.
    Another important feature is device-to-device communication. Any notification you get on your phone, you’ll get on your wearable, too. Where a smartwatch diverges from the phone is how it presents that information. Android Wear relies on stacks, which allows developers to bundle multiple notifications together like an inbox, while pages allow more than one glanceable screen of information at a time for one notification. Think of this like flipping through a tiny ebook of notifications. You can combine stacks and pages and reply to any notification through voice activation.
    The video covers pretty high-level stuff, but with LG and Motorola already building their own Android Wear smartwatches, you can bet it won’t be long before we get a proper look at what this OS is capable of.

    Monday, June 16, 2014

    Formula One Legend Michael Schumacher 'Not In a Coma Anymore'

    MAINZ, Germany -- Retired Formula One superstar Michael Schumacher is no longer in a coma and has left the hospital, his manager said Monday.
    The racing legend had been treated at a hospital in Grenoble, France, since suffering head injuries while skiing in the Alps in December.
    Schumacher's manager Sabine Kehm said the German driver was "not in a coma anymore."
    In a statement, Kehm said that Schumacher would "continue his long phase of rehabilitation," adding that it would "take place away from the public eye."
    She added: "His family would like to explicitly thank all his treating doctors, nurses and therapists in Grenoble as well as the first aiders at the place of the accident, who did an excellent job in those first months."
    Schumacher's family also expressed thanks to "all the people who have sent Michael the many good wishes ... We are sure it helped him."
    Schumacher, 45, is the most successful driver in Formula One history.
    The seven-time world champion was skiing with his son in the French resort of Meribel when he fell and hit his head on a rock.

    MICHAEL J. FOX - OUTSTANDING LEAD ACTOR IN A COMEDY SERIES...



    Android users can now run Firefox OS apps (all six of them)

    • June 15, 2014 at 11:01 am
    • Open Web Apps
    • Mozilla’s Firefox OS is based on Gecko — the same core rendering engine that its desktop and mobile Firefox web browsers use. This unified framework goes to the essence of what Firefox and Mozilla are about. Mozilla sees the future of apps and browsing as two sides of the same coin. To push its vision for “Open Web Apps,” Mozilla has rolled out v29 of Firefox for Android, which enables you to download and install Firefox OS marketplace apps on your Android device with no additional configuration.
      When developers create apps for Android or iOS, they need to build them using Java or Objective-C, respectively. This has traditionally allowed for a more robust set of APIs and vastly improved performance compared to web-only technologies, but things are slowly changing. Firefox OS apps are built using HTML5, CSS, and JavaScript. The upshot of this is that they can run on any platform with the proper rendering engine, in this case Gecko.
      Mozilla isn’t the first company to push web apps on mobile devices as an alternative to native ones. That distinction goes to Palm, which used a similar approach to the app ecosystem on webOS. That didn’t go so well, but the capabilities of browsers have advanced considerably in the last four or five years. Mozilla’s WebAPI documentation provides methods for accessing hardware (camera, battery stats, sensors, etc.) as well as a variety of data management and communication features. The gap between native apps and web apps is more technologically narrow than it once was.
      With the new support for Android, all you need to do is install the updated Firefox browser from Google Play — attempting to grab anything from the FF marketplace with Chrome results in an error. The apps will go through the standard Android installation dialog (packaged as an APK), and even show up in the app drawer. They open like normal apps, but all the rendering is done through Firefox’s Gecko engine. As for usability and performance, web-based apps like this have definitely come a long way over the years. They work, but the design language is much less refined.
      Mozilla hopes that its Open Web App initiative will spur more development of apps based on web technologies. Developers could potentially save themselves a lot of headaches by building apps once with web languages instead of doing the same thing multiple ways for different mobile operating systems. However, cross-platform compatibility is currently limited to Android. Apple doesn’t allow third-party browser engines on iOS (even Chrome for iOS uses the stock WebKit engine), so there’s no way to render Open Web Apps.
    • Expanding web apps to Android isn’t Mozilla’s only mobile play. Firefox OS itself is still under development and there are new entry-level smartphones running the software set for release in India (and a few other markets) for as little as $25. Even the super-cheap Moto E can’t compete with that. With Microsoft still faltering, Mozilla’s open approach and entry into big developing markets could potentially earn it a comfortable (but distant) third place slot in the mobile device ecosystem.